Each user of a UNIX system such as Debian has a username which uniquely identifies them. Usernames are associated with user IDs (or UIDs), and in fact it is the UID which the underlying system uses to identify users; usernames, however, are more mnemonic and tend to be used for most day-to-day purposes.
Usernames are typically composed of alphanumeric characters, that is letters and numbers. Most usernames are forms of the user's own name (for instance "jane", "janedoe", or "jdoe") or relate to a role or a pseudo-user created for the purpose of administering part of the system, for instance "root" (for the superuser account) and "www-data" (for the account which owns and runs web servers and related services under Debian).
UIDs are numbers. Traditionally they range from zero to 65534, although current kernels accept larger values. Debian groups them as follows:
UIDs 0-99 are globally allocated by the Debian project and are used for system accounts. The "root" account, for instance, is UID 0. Note that the kernel grants superuser rights to UID 0 itself, not to the name "root": any account with UID 0 is a superuser, whatever it is called.
UIDs 100-999 are for system users which have not been allocated by the Debian project; they are assigned dynamically when a package that needs its own account is installed.
UIDs 1000-29999 are normal user accounts.
UID 65534 is user "nobody", an unprivileged account that owns no files and is intended for processes that should have no rights of their own. It is not a safe place to run unrelated services, because anything running as "nobody" can interfere with everything else running as "nobody".
For more information about the allocation of UIDs, see the Debian policy manual; the policy manual is authoritative and the exact ranges have changed since this manual was written.
Users may usually be referred to by either username or UID.
Groups are used to refer to logical groups of users on the system. Groups have group IDs (GIDs) just as users have UIDs, and the numeric ranges for different types of groups are the same as those for users.
A typical example of a group on the system might be "webadmin" where people who administer a website might be grouped together. This would allow users to create files and directories to which all of the "webadmin" group had read or write access.
Groups may usually be referred to by either their name or GID.
Each user on a Debian system has a password which they must use to login to the system. This password is initially specified at the time of account creation, and may be changed at any time by the user or by the system administrator.
Passwords themselves are not stored on the system. What is stored is the output of a one-way hash function applied to the password (originally the crypt(3) DES scheme, later salted SHA-512, and on current Debian releases yescrypt). A one-way function cannot be reversed to find the original password, so there is no key to steal and nothing to decrypt. Instead, the password typed by the user at login time is hashed with the same salt and the two hashes are compared to see if they are the same.
Passwords may contain letters, numbers and punctuation. It is considered good practice to choose a password which contains a mixture of upper and lower case characters, numbers, and punctuation, as this makes it harder to guess and less susceptible to a "dictionary" attack, whereby each word in a dictionary (and common variations of it) is hashed and compared with the hashes stored on the system. Length matters more than character mix: a long passphrase resists guessing better than a short password with a digit appended. The per-password salt prevents an attacker from hashing the dictionary once and reusing the result against every account, but it does not protect a password that is itself in the dictionary.
Shadow passwords are used as a means of hiding even the hashed form of the password from ordinary users. The normal password file is world-readable because many programs need it to map UIDs to names, so on a system without shadow passwords anyone with a shell account could copy every hash and attack it offline at leisure. The shadow password file, by contrast, is readable only by the superuser; on Debian it is mode 0640, owned by root and group "shadow", the group used by the few setgid helpers that must read it.
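The following is an added example, not code from the Debian manual, showing the login-time check the previous paragraphs describe: a salted one-way hash is derived at account creation, re-derived and compared at login, and a dictionary attack can only proceed by hashing each guess with the victim's own salt. PBKDF2-HMAC-SHA256 is used as a stand-in for the crypt(3) schemes Debian actually stores in /etc/shadow, and the "$pbkdf2$rounds$salt$digest" string layout is invented for this example, not a real shadow format.

```python
"""Added example, not from the Debian manual: salted one-way password hashing,
verification, and the dictionary attack the text describes.

PBKDF2-HMAC-SHA256 stands in here for the crypt(3) schemes Debian really uses
in /etc/shadow (SHA-512, yescrypt); the '$pbkdf2$rounds$salt$digest' string
format is invented for this example and is not a real shadow format."""
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 20_000  # assumed work factor; real schemes tune this to ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Derive a one-way digest from the password and a random per-user salt.
    The result records everything needed to re-derive, but not to reverse."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login-time check: re-derive with the stored salt and rounds, then
    compare digests in constant time. Nothing is ever 'decrypted'."""
    try:
        _, algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or foreign hash string
    if algo != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(stored: str, wordlist: list) -> Optional[str]:
    """Hash each candidate word with the victim's own salt and compare.
    With a random salt every account must be attacked separately, which is
    why a leaked shadow file is far less useful than an unsalted hash list."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


# Constructed wordlist for the demonstration.
WORDLIST = ["letmein", "password", "summer2024", "qwerty", "debian"]


def demo() -> dict:
    """Return the outcomes a reader would check by hand."""
    weak = hash_password("summer2024")
    strong = hash_password("correct-horse-battery-staple-7!")
    same_pw_a = hash_password("hunter2", salt=b"A" * 16)
    same_pw_b = hash_password("hunter2", salt=b"B" * 16)
    return {
        "weak_recovered": dictionary_attack(weak, WORDLIST),      # 'summer2024'
        "strong_recovered": dictionary_attack(strong, WORDLIST),  # None
        "verify_ok": verify_password("hunter2", same_pw_a),       # True
        "verify_bad": verify_password("hunter3", same_pw_a),      # False
        "salts_differ": same_pw_a != same_pw_b,                   # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The constant-time comparison in verify_password is not optional: comparing hashes with a plain equality operator leaks, through timing, how many leading bytes of the guess were right.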
A concept related to users, in that it is often part of the account creation process, is that of quotas. Quotas allow the system administrator to restrict the amount of disk space used by a user.
This subject is discussed in more detail in the filesystems chapter of this manual. See Filesystems and Storage Media, Chapter 6 for details.
New users are usually added using the adduser tool. Typical syntax is adduser username, which will prompt the administrator for various information such as the user's full name, initial home directory, et cetera.
There is also a useradd program, which predates adduser and which adduser itself calls. Using useradd directly is discouraged: it applies none of Debian's conventions (the UID range and defaults from /etc/adduser.conf, creation of the home directory from /etc/skel, a per-user primary group) unless each is requested explicitly.
User information (such as the user's home directory location, real name, etc) may be changed using the usermod program. The chfn program is intended specifically for changing the "full name" and other contact details stored in the GECOS field of the password file, while the chsh command may be used to change a user's default shell.
You may also change user information by editing the /etc/passwd file directly. The best tool for doing this is the vipw program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables); vipw -s does the same for /etc/shadow. Editing the file with an ordinary editor risks a concurrent passwd or adduser run overwriting your change, and a malformed line can prevent every login on the system.
User accounts can be removed using the userdel command.
If you are running a large system, you might want to make a policy of not deleting user accounts, instead just marking them disabled. You may have files on disk or backup tapes belonging to the user to be deleted, and if you later re-use the numeric UID those files change owner: Unix identifies the owner of a file by UID alone, and cannot know that the new user is not the same person. To disable an account, lock its password (passwd -l username or usermod -L username) and expire the account (chage -E 0 username). Locking the password alone is not enough, because logins that never present a password, such as SSH public-key authentication, still succeed; an expired account is refused by every PAM-based login regardless of authentication method. Setting the shell to /usr/sbin/nologin is a further, independent safeguard.
The system administrator may change any user's password by typing passwd username.
If you are using shadow passwords, you can set up the system so that passwords expire after a certain number of days. When a password is due for expiry, the user is warned at login and must change their password; once the expiry date passes the user is forced to change it at the next login, and after a further, configurable number of inactive days the account is disabled altogether.
The tool used to set password expiry times is chage. chage -l username shows the current settings for an account, and the defaults applied to new accounts come from /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE).
Groups may be created by using the addgroup tool. Typical syntax for the addgroup command is addgroup groupname.
Administrators may also choose to edit /etc/group directly. The best tool for doing this is the vigr program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables).
Groups may be edited using the groupmod tool, or by editing /etc/group directly with vigr as described above.
Groups may be deleted using the groupdel tool, or by removing the record from /etc/group directly with vigr as described above.
Shadow passwords can be turned on and off using the shadowconfig tool. See also shadowconfig(8). Shadow passwords have been the default on Debian for many years, and there is no good reason to turn them off.
In the short form, these commands can be used by simply typing adduser username or addgroup groupname. This provides an interactive interface which will prompt the administrator for various values, such as a user's home directory. There are also a number of command line options which can be used to specify these values non-interactively, which is what scripts should use; adduser --system creates an account in the system UID range for a service rather than a person.
See also adduser(8).
See also chage(1).
The chfn command may be used to change a user's "full name" or other information stored in the GECOS field of the password file. If no command line options are used, the command runs in an interactive fashion, prompting for input for each field.
See also chfn(1).
The basic syntax of the chsh command is chsh -s shell username. However, if the -s parameter is omitted, the administrator will be prompted for which shell to use. The username is also optional: only the superuser may change other users' shells; ordinary users may change their own shell simply by typing chsh, and may only choose a shell listed in /etc/shells.
See also chsh(1).
The basic form of the passwd command (as used by the system administrator) is passwd username, which will prompt for the user's new password.
See also passwd(1).
The basic syntax of the userdel command is userdel username. The user's home directory and mail spool are left in place unless -r is given, and files the user owns elsewhere on the system remain owned by the now-unallocated UID (see the note above on disabling rather than deleting accounts).
See also userdel(8).
See also vipw(8).
The /etc/passwd file consists of user records, one to a line. Each record contains multiple fields, separated by colons (:). The fields are:
username
password hash (or x if shadow passwords are in use, meaning the hash lives in /etc/shadow; an empty field means no password is required at all)
UID
default GID
real name (also known as the GECOS field)
home directory
default shell
See also passwd(5).
The /etc/group file consists of group records, one to a line. Each record contains multiple fields, separated by colons (:). The fields are:
group name
group password hash (or x if shadow passwords are in use, meaning it lives in /etc/gshadow; group passwords are rarely used)
GID
supplementary members' usernames, comma-separated (users whose default GID in /etc/passwd is this group are members too but are not listed here)
See also group(5).
If shadow passwords are being used, the /etc/shadow file contains users' password hashes and other information about the passwords. Its fields are colon-separated as for /etc/passwd, and are as follows:
username
password hash; a leading ! marks an account locked with passwd -l or usermod -L, a single * or ! means the account has never had a password usable for login (typical for system accounts), and an empty field means no password is required
Days since Jan 1, 1970 that password was last changed (0 means the user must change the password at next login)
Days before password may be changed
Days after which password must be changed
Days before password is to expire that user is warned
Days after password expires that account is disabled
Days since Jan 1, 1970 that the account expires and all logins are refused
A reserved field
The password hash is modified by the passwd program and the expiry related fields by the chage program.
See also: shadow(5)
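The following is an added example, not code from the Debian manual, that parses records in the three formats described above and runs the checks an administrator would want over them: more than one UID 0 account, hashes or empty password fields in the world-readable /etc/passwd, accounts marked x with no shadow record, group members that do not exist, and the locked, expired, inactive and must-change states that the password expiry fields encode (the same states chage -l reports, as discussed in the section on password expiry). Every record below is constructed for this example; the users alice, bob, carol, dave, toor and mallory are invented and the hash strings are placeholders, not real yescrypt or SHA-512 output.

```python
"""Added example, not from the Debian manual: parse /etc/passwd, /etc/group
and /etc/shadow records and audit them. All sample records are constructed;
the hashes are placeholders, not real crypt(3) output."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

EPOCH = date(1970, 1, 1)
DEMO_TODAY = date(2024, 6, 1)   # 19875 days after the epoch

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example,,,:/home/carol:/bin/bash
dave:x:1003:1003:Dave Example,,,:/home/dave:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19800:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
alice:$6$PLACEHOLDER$PLACEHOLDER:19700:0:90:7:::
bob:!$6$PLACEHOLDER$PLACEHOLDER:19800:0:99999:7:::
carol:$6$PLACEHOLDER$PLACEHOLDER:19500:0:90:7:30::
dave:$6$PLACEHOLDER$PLACEHOLDER:19850:0:99999:7::19800:
toor::19800:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
sudo:x:27:alice,mallory
www-data:x:33:
alice:x:1000:
bob:x:1001:
carol:x:1002:
dave:x:1003:
nogroup:x:65534:
"""


@dataclass
class Passwd:
    name: str; passwd: str; uid: int; gid: int; gecos: str; home: str; shell: str


@dataclass
class Shadow:
    name: str; hash: str; lastchg: Optional[int]; min: Optional[int]
    max: Optional[int]; warn: Optional[int]; inactive: Optional[int]
    expire: Optional[int]


def _opt(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_passwd(text: str) -> list:
    out = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        out.append(Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return out


def parse_shadow(text: str) -> list:
    out = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        out.append(Shadow(f[0], f[1], *(_opt(x) for x in f[2:8])))
    return out


def parse_group(text: str) -> dict:
    """name -> (gid, [supplementary members]); the password field is ignored."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def password_state(s: Shadow, today: date) -> str:
    """Classify a shadow entry the way login and chage -l would see it."""
    if s.hash == "":
        return "empty"                # passwordless login if PAM permits it
    if s.hash.startswith(("!", "*")):
        return "locked"               # '!' = passwd -l / usermod -L, '*' = never had one
    days = (today - EPOCH).days
    if s.expire is not None and days >= s.expire:
        return "account-expired"      # field 8: every login method refused
    if s.lastchg == 0:
        return "must-change"          # forced change at next login
    if s.lastchg is None or s.max is None or s.max >= 99999:
        return "ok"                   # no password ageing configured
    if days >= s.lastchg + s.max:
        if s.inactive is not None and days >= s.lastchg + s.max + s.inactive:
            return "inactive"         # grace period over: account disabled
        return "password-expired"     # user must change it at next login
    return "ok"


def audit(passwd_text: str, shadow_text: str, group_text: str, today: date) -> list:
    findings = []
    users = parse_passwd(passwd_text)
    uid0 = [u.name for u in users if u.uid == 0]
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    shadow = {s.name: s for s in parse_shadow(shadow_text)}
    for u in users:
        if u.passwd == "":
            findings.append(f"{u.name}: empty password field in /etc/passwd")
        elif u.passwd != "x":
            findings.append(f"{u.name}: hash stored in world-readable /etc/passwd")
        elif u.name not in shadow:
            findings.append(f"{u.name}: 'x' in /etc/passwd but no /etc/shadow entry")
    for name, s in shadow.items():
        state = password_state(s, today)
        if state != "ok":
            findings.append(f"{name}: {state}")
    groups = parse_group(group_text)
    known = {u.name for u in users}
    gids = {gid for gid, _ in groups.values()}
    for name, (_gid, members) in groups.items():
        for m in members:
            if m not in known:
                findings.append(f"{name}: member '{m}' has no /etc/passwd entry")
    for u in users:
        if u.gid not in gids:
            findings.append(f"{u.name}: primary GID {u.gid} not in /etc/group")
    return findings


def demo_findings() -> list:
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, DEMO_TODAY)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run against a real system as root (the shadow file is unreadable otherwise), feed the three files' contents to audit() with date.today(); the two most urgent findings are a second UID 0 account and an empty hash field, since either gives a login without the password policy applying at all.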
Debian GNU/Linux System Administrator's Manual